What You Should Know About Cyber Heists

Our resident security expert and a retired Army JAG David Willson, JD, LLM, CISSP, Security+, shared this blog with us on cyber heists.

A cyber heist is a robbery that occurs in cyberspace or on the Internet. Hackers usually compromise business networks with e-mail scams and phishing attacks. They also steal usernames, passwords, logon credentials, and challenge questions, and they disable alerts before initiating the heists through the bank. Cyber heists have increased in intensity and sophistication over the past three years. What can you do, as a customer or as a financial institution, to protect yourself?

How Much Security Is Necessary? How much security is necessary depends on a number of factors, including your level of risk, the amount of resources you are able to throw at the problem, the potential liability your organization may face if an incident occurs, the potential impact to your reputation, legal/compliance requirements, etc. Walk into any bank and it is apparent that a lot of money has been spent on physical security. The same needs to be true of cyber security, especially in light of the rise in cyber heists.

As a business owner or an individual customer, you shouldn’t assume the bank, or even an outsourced IT company, is keeping you and your money secure. You must understand the security procedures your bank is using and ensure the procedures your company uses are reasonable and meet your fiduciary responsibility.

Steps to Keep Information More Secure There are certain steps banks and businesses can and should take to keep information and electronic funds more secure. First of all, ensure you have conducted a risk assessment to identify the information that needs to be protected, and then draft proper policies regarding security, acceptable use, social media, passwords, etc. You must ensure your employees are trained on the latest threats and cybersecurity tips and techniques for protecting information. This may seem very basic, but the number of organizations that do not meet these standards is astonishing.

There is a security standard for banks and financial institutions. The 2011 Supplement to the Federal Financial Institutions Examination Council (FFIEC) recommends:

Annual risk assessments to evaluate high-risk transactions

Layered security for business accounts commensurate with the level of risk for the account

Processes to detect abnormal activity for an account

More education for consumers and business account holders

The following best practice tips are from Brian Krebs article, “Online Banking Best Practices for Businesses”:

Begin with a fresh operating system and use a dedicated machine for financial transactions.

If possible, avoid using a Windows operating system since most of the malware for compromising banking transactions has been created for the Windows operating system.

If you must use a Windows operating system, then use a “live CD” to protect your transactions.

Your dedicated system or computer should not be used for anything else: no e-mail, Internet surfing, etc.

If resources require you to use the same system for banking and other uses, such as Internet surfing and e-mail, do not click on links in e-mails, disable HTML in e-mails so pictures do not display, and keep the system up-to-date with patching and antivirus software.

When banking online, close all other windows except the bank window, or even reboot the machine and then open your browser to your bank URL.

Type in the URL for the bank; don’t conduct an Internet search for your bank and click on the link in the search. Or, you can simply bookmark the bank URL.

Log out of the bank site; just closing the window leaves you logged on.

Avoid opening e-mail attachments you did not expect.

Implement procedures to better control transactions, such as requiring two people to sign off on every transaction.

Conclusion Two phrases should stick in your mind: “trust but verify” and “never ready, always prepared.” Decide on the security you will employ and how you will employ it, and then document it. All parties should know and understand these procedures and agree to them. Once this is done, trust the system, but verify, especially if something seems out of the norm. Finally, remember that while you can never be ready for everything, you can be prepared for anything.